Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers
Essential information
- Published
- 04/09/2025 00:59
- Modified
- 04/09/2025 08:16
- Tags
- 2025-09-04 anti-analysis cybercrime data exfiltration infostealer phantom stealer snake keylogger stealerium warp stealer
- Related entities
- 8 observables, 1 intrusion sets (apt), 14 techniques (mitre), 4 malware, 4 others
Description
Proofpoint researchers have observed an increase in cybercriminals using Stealerium-based malware, an open-source infostealer available on GitHub. Multiple stealers share code with Stealerium, including Phantom Stealer. Campaigns delivering Stealerium have used various lures and file types, targeting industries like hospitality, education, and finance. The malware can exfiltrate a wide range of data, including browser credentials, credit card info, and crypto wallet data. It uses anti-analysis techniques and can exfiltrate data through multiple channels like SMTP, Discord, and Telegram. The rise in Stealerium usage reflects the growing trend of threat actors pivoting to information stealers as identity theft becomes a priority.